Weekly Cyber Security
News, Events & Information
From sources found online in the past seven days
Hello all,
It started out as a normal week with a few critical updates, and the normal onslaught of attacks, vulnerability reveals, and good-guy victories. Then Friday came.
If you’ve been on vacation, or oblivious to the news, in the wee hours of Friday morning, CrowdStrike (a US-based cybersecurity vendor used by most of the Fortune 500, governments, and other companies worldwide) released a critical update for their Falcon Security-as-a-Service product. Unfortunately, it appears it was not vetted, as global chaos ensued when 8.5 million Microsoft Windows workstations and servers promptly went into a Blue Screen of Death (BSOD) boot-loop. CrowdStrike fixed the update within 90 minutes of release, but the damage was done. To stop the BSOD, the systems must either be restored to a point prior to the update, or the update file needs to be removed. The catch is that few automated methods exist, so systems must be fixed manually, one at a time. More details about this incident, mitigation steps, recovery efforts, fallout, and more are in our various links below.
Read on for additional information regarding CrowdStrike and for other news items from this past week, paying particular attention to any vulnerabilities in products that you have responsibility over.
The volume of news and other items can appear overwhelming; the best strategy is to read the Notable Callouts below, then skim the full list of linked news item titles that follow for things that pertain to you or your environment or simply interest you, and select them for more information. So, let’s get to it. And don’t forget, our site, https://red-n-security.com, also has searchable archives of past newsletters.
Notable Callouts:
- Cisco revealed and patched two separate issues this week. The first is in Smart Software Manager (SSM) On-Prem and Satellite. It scored a perfect 10 out of 10 in CVSS and allows an unauthenticated attacker to change passwords. So, if you use this, patch immediately! The second is for their Security Email Gateway (SEG) appliances. This one is also critical in that, if exploited, it allows the attacker to create new users with root permissions. If that’s done, game over. Patch now.
- CrowdStrike garnered a number of links in our newsletter this week. This particular link deals with the immediate world-wide impact of so many critical systems BSODing simultaneously. Flights, railways, banks, hospitals, mass-transit systems, retailers, Starbucks (oh no! Coffee!), news broadcasters, government emergency services, and the list goes on, were taken offline or crippled. For companies affected, it was catastrophic. The economic impact will take some time to tally, especially as recovery efforts are still underway.
- Exim, a mail transfer agent used by 1.5 million servers worldwide, has a flaw that allows malicious emails to pass through. Update as soon as you’re able to plug this hole.
- Google Chrome received an update on Friday; you can be excused if you didn’t notice. But it is a very important one that plugs multiple vulnerabilities, some of which can give a threat actor Remote Code Execution (RCE). Check your browser for any updates and restart it after applying them. Expect that other Chromium-based browsers will be following suit soon, and plan to update them when their patches come out.
- Juniper continues to fix vulnerabilities; this week it is a bug in Junos OS that enables authenticated attackers to gain root access. While not pants-on-fire, this should be patched as soon as is practical. Threat actors are quite good at chaining vulnerabilities to achieve their evil goals.
- “Microsoft cloud outage causes airlines to ground flights,” reads the headline. While this is partially correct, the root cause was CrowdStrike Falcon taking down the systems needed for tracking and managing those flights. “Across the globe, 4,983 flights were canceled and another 43,826 were delayed, according to FlightAware data as of 11:30 p.m. Friday evening.” It was a very bad day to be a traveler.
- SolarWinds has released patches for Access Rights Manager (ARM). There is a rather large list of flaws addressed. They are quite severe, so if you use this, patch now.
- Splunk has a critical flaw in Splunk Enterprise on Windows that allows passwords to be accessed by threat actors. Mitigation instructions exist, and a patch is available as well.
In Ransomware, Malware, and Vulnerabilities News:
- CrowdStrike is now top-of-mind for many IT professionals. Opportunistic threat actors have jumped onto this like a pack of ravenous hyenas and are offering “automated fixes” to remediate the issue, with software, scripts, and “updates” laced with malware and back-door software. Hundreds of look-alike CrowdStrike domains have been registered by them for phishing campaigns. Be very wary of geeks bearing gifts.
- 300 arrests made: “The arrests — made across five continents — came as part of Operation Jackal III, Interpol said in a statement, which ran from April 10 to July 3.” Police and authorities were able to seize millions in ill-gotten goods and cryptocurrency. Yay for the good guys!
In Other News Events of Note and Interest:
- CrowdStrike’s incident has several links in this section: descriptions of the issue, suggested remediations, analysis, talk of government regulation, and deeper dives.
- Parts of Tonga without internet: in a dumbfounding move, officials in the government of Tonga ordered Starlink to stop service in their island nation until it obtained a license to operate. That was done despite the nation being almost completely cut off from the internet due to several undersea cable cuts. Bureaucracy gone amok if you ask me. If anything called for a temporary exemption, this situation would certainly be it.
In Cyber Insurance News:
- Insurers face business interruption claims: this one talks about how the CrowdStrike incident is going to reach into the insurance market as affected companies attempt to get some compensation. Does your policy cover this type of interruption? If you were affected, I pray it did; if you weren’t, now is the time to check and add it if you don’t have it.
My prayers go out to those cyber warriors wading through the morass of remediating the CrowdStrike Falcon disaster. There is a light at the end of the tunnel; it just may take a while to get there, so don’t give up. I’ve used the word Incident a few times in this week’s news in connection with the global outage caused by this faulty update. And it truly is an Incident in the technical sense of the word. Which leads to the question, “Does your Incident Response Plan (IRP) cover this type of event?” If not, it’s time to update. While you’re at it, update your Disaster Recovery Plan (DRP) to cover such an Incident. It is vital to know who will do what before something occurs, so that you are not left scrambling if, God forbid, it happens to you.
Keep the shields up. They really are out to get you, sometimes by accident.
Viscount Jan Broucinek
Red-N Weekly Cyber Security News
Headline NEWS
- Critical Cisco bug allows criminals to change admin passwords
- Critical Cisco bug lets hackers add root users on SEG devices
- CrowdStrike update glitch disrupts flights and banking around the world
- Critical Exim vulnerability facilitates malware delivery
- Chrome Security Update: Patch for Multiple Vulnerabilities Allows RCE
- Juniper Junos OS Flaw Let Attackers Gain Full ‘Root’ Access
- Microsoft cloud outage causes airlines to ground flights
- SolarWinds fixes 8 critical bugs in access rights audit software
- Critical Splunk flaw can be exploited to grab passwords
Ransomware, Malware, and Vulnerabilities News
- Don’t Fall for It: Hackers Pounce on CrowdStrike Outage With Phishing Emails
- 300 arrests made in crackdown of West African cyber fraud group
- Russian duo confess to cyber heist that forced $500 million in ransom payments
- Former CIA analyst charged for acting as secret agent for South Korean intel in exchange for gifts
- Police arrest a teenage boy in connection with the MGM Resorts ransomware attack
- Inside the world’s largest ‘live-fire’ cyber-defense exercise
- AT&T reportedly gave $370,000 to a hacker to delete its stolen customer data
- AT&T ransom laundered through mixers, gambling services
- Artificial Intelligence (AI) Deepfake Video Scams Steal $273,350 From Three Men: Report
- CISA Warns of Actively Exploited RCE Flaw in GeoServer GeoTools Software
- ICO Slams Hackney, UK Council For ‘Avoidable’ Cyber Attack
- DHS watchdog rebukes CISA and law enforcement training center for failing to protect data
- Disney “breached”, data dumped online
- Yacht giant MarineMax data breach impacts over 123,000 people
- Thousands of Life360 users have data leaked following breach
- The biggest data breaches in 2024: 1 billion stolen records and rising
- Number of data breach victims up 490% in first half of 2024
- Revolver Rabbit gang registers 500,000 domains for malware campaigns
- BianLian Ransomware Leveraging RDP Credentials To Gain Initial Access
- 20 Million Trusted Domains Vulnerable to Email Hosting Exploits
- TAG-100: New Threat Actor Uses Open-Source Tools for Widespread Attacks
- Russia’s FIN7 is peddling its EDR-nerfing malware to ransomware gangs
- Void Banshee APT Exploits Microsoft MHTML Flaw to Spread Atlantida Stealer
- Oracle Patches 240 Vulnerabilities With July 2024 CPU
- Facebook ads for Windows desktop themes push info-stealing malware
- What is malvertising? And how to protect yourself against it
- Linksys Velop Routers Caught Sending WiFi Creds In The Clear
- Port Shadow Attack Allows VPN Traffic Interception, Redirection
- Chromium browsers have been quietly sending user information to Google
- TeamViewer: Network segmentation hobbled Midnight Blizzard’s attack
- Snowflake Account Attacks Driven by Exposed Legitimate Credentials
- Phishing scam costs City of Memphis $773K
- New phishing tactic hijacks email protections to mask links
- New BugSleep Backdoor Deployed in Recent MuddyWater Campaigns
- DarkGate, the Swiss Army knife of malware, sees boom after rival Qbot crushed
- Microsoft links Scattered Spider hackers to Qilin ransomware attacks
- New HardBit Ransomware 4.0 Uses Passphrase Protection to Evade Detection
- SEXi ransomware rebrands to APT INC, continues VMware ESXi attacks
- Furniture giant shuts down manufacturing facilities after ransomware attack
- Ransomware continues to pile on costs for critical infrastructure victims
- Southern California trial court hit by ransomware attack
- Cyberattack leaves Allegheny County District Attorney’s Office with limited communication
- Samba file shares leveraged to facilitate DarkGate malware delivery
- Here’s how carefully concealed backdoor in fake AWS files escaped mainstream notice
- 10,000 Victims a Day: Infostealer Garden of Low-Hanging Fruit
- Microsoft Says Windows Not Impacted by regreSSHion as Second OpenSSH Bug Is Found
- WordPress Plugin Flaw Let Attackers Seize Administrative Control
Other News Events of Note and Interest
- Cool Tool: I bet you don’t know about this excellent free video editor
- Synchron hooks up human brain direct to AI
- CrowdStrike tech meltdown reveals a security nightmare CISOs say forces them to make risky trade-offs every day
- Major Windows BSOD issue takes banks, airlines, and broadcasters offline
- Microsoft’s ‘Blue Screen of Death’ makes a return to computers around the world
- Microsoft on CrowdStrike outage: have you tried turning it off and on? (15 times)
- CrowdStrike IT outage affected 8.5 million Windows devices, Microsoft says
- What is CrowdStrike, and what happened?
- Why It’s Taking Time for Companies to Recover From CrowdStrike Outage
- Torres proposes bill to codify cyber board after Crowdstrike meltdown
- Apple tells over a billion iPhone users to stop using Chrome — here’s Google’s response
- US discovery paves way for extremely fast and compact computer memory
- Giving People An Owl-like Visual Field Via VR Feels Surprisingly Natural
- CSA updates its vendor-neutral cloud security training with CCSK v5 release
- VirtualBox fixes TPM Windows event viewer bug, shared clipboard issue, adds UEFI certs
- Kaspersky Lab shutting down U.S. operations after Commerce ban
- Kaspersky gives US customers six months free security software as a farewell
- SentinelOne Partners with CISA to Enable Government-Wide Cyber Defense
- Most SEC charges dismissed in SolarWinds hack case
- Google in talks for $23 billion deal with Wiz
- Google’s shortened links will stop working next year
- Full screen security warnings coming to Google Chrome
- Singapore Banks to Phase Out OTPs for Online Logins Within 3 Months
- Parts of Tonga without internet after cables damaged and Starlink ordered to cease operations
- World’s first bricklayer robot that boosts construction speed enters US
- June Windows Server updates break Microsoft 365 Defender features
- China’s internet cleanup campaigns are going so well it needs a new one to protect kids
- ZDI shames Microsoft for – yet another – coordinated vulnerability disclosure snafu
- Exchange Online Gets Inbound SMTP DANE with DNSSEC
- Microsoft: Windows 11 23H2 now available for all eligible devices
- Microsoft confirms Windows 11 24H2 arrives late 2024 on Intel, AMD PCs
- Microsoft issues temporary fix for Photos app not opening in Windows 11
- Microsoft finally fixes Outlook alerts bug caused by December updates
- Microsoft makes major Windows 11 24H2, Server 2025 change with checkpoint cumulative updates
- Microsoft’s WSL 2.3.11 Brings “Hundreds Of New Kernel Modules” & New Features
- Microsoft has let its AI-powered Designer app out of preview mode
Cyber Insurance News
- Tech Outage Spurs Insurance Clients to Ready Cyber Claims
- Why Cyber Insurance plans may need to include buggy software updates
- Insurers face business interruption claims after global tech outage
- Supply chain attacks are rising – how can brokers help?